Qilin

Threat Actor updated 3 days ago (2024-10-21T09:01:55.896Z)

Download STIX

Preview STIX

Qilin, a threat actor in the cybersecurity landscape, has emerged as a significant player in the ransomware space. The Octo Tempest group recently added Qilin ransomware to its arsenal, enhancing its capabilities and reach. This addition suggests that high-level groups like Qilin may have the capacity for turnkey jobs and often partner with initial access brokers (IABs) to facilitate their operations. In one observed instance, the Qilin ransomware gang breached its target through a VPN portal, demonstrating its sophisticated attack methods. The Qilin ransomware has shown an aggressive streak with its victim count increasing by 44% to reach 140 in Q3. It has claimed attacks on several high-profile targets, including the automotive giant Yanfeng. Interestingly, the rise of Qilin and similar ransomware like RansomHub appears to have come at the expense of LockBit, which had boasted three times more successful attacks than its closest rival Qilin in the second quarter. However, the tables seem to have turned, with Qilin's fortunes on the rise. Despite its escalating activities, Qilin has faced legal challenges. In August, Synnovis obtained a preliminary injunction from the English High Court against the Qilin ransomware group, Telegram, and a leak site to prevent the publication of stolen data. This led to Telegram blocking the channel used by Qilin to leak the stolen data from its victims. Nonetheless, Qilin continues to be a formidable force in the ransomware arena, requiring continued vigilance and robust cybersecurity measures.

Description last updated: 2024-10-21T08:38:29.889Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Ransomhub is a possible alias for Qilin. RansomHub is a threat actor that emerged as a new group in the cybersecurity landscape in February 2024, following the initial takedown of LockBit. Many former LockBit affiliates seemed to have either started working independently using freely available ransomware source code such as Phobos or align	3
Octo Tempest is a possible alias for Qilin. Octo Tempest, also known as Scattered Spider, is a prominent threat actor in the cybersecurity landscape. This group has rapidly gained notoriety in the ransomware domain by incorporating RansomHub and Qilin ransomware into its arsenal, significantly enhancing its ability to compromise systems and n	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Extortion

Malware

RaaS

Ransom

Credentials

Linux

Nhs

Chrome

Vpn

Data Leak

Cybercrime

Phishing

Esxi

Encryption

Rust

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Lockbit Malware is associated with Qilin. LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It typically enters through suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hostage for	Unspecified	4
The Black Basta Malware is associated with Qilin. Black Basta is a notorious malware and ransomware group known for its high-profile attacks on various sectors. The group, also known as Storm-0506, has been active since at least early 2022 and has accumulated over $107 million in Bitcoin ransom payments. It deploys malicious software to exploit vul	Unspecified	2
The Hive Malware is associated with Qilin. Hive is a form of malware, specifically ransomware, that infiltrates computer systems to exploit and damage them. It gained notoriety when it was used by the cybercriminal group Volt Typhoon to exfiltrate NTDS.dit and SYSTEM registry hive data, allowing them to crack passwords offline. This malware	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Alphv Threat Actor is associated with Qilin. AlphV, also known as BlackCat, is a notorious threat actor that has been active since November 2021. This group pioneered the public leaks business model and has been associated with various ransomware families, including Akira, LockBit, Play, and Basta. AlphV gained significant attention for its la	Unspecified	3
The Bianlian Threat Actor is associated with Qilin. BianLian is a prominent threat actor that has been actively exploiting vulnerabilities in JetBrains TeamCity, leading to several ransomware attacks. This group has made significant strides in the cybersecurity landscape, making its mark as one of the top three ransomware groups targeting the healthc	Unspecified	2
The Scattered Spider Threat Actor is associated with Qilin. Scattered Spider is a financially motivated threat actor known for its sophisticated techniques and broad range of targets, including all major cloud service providers. This group seeks to maintain persistence on targeted networks, often using phishing to obtain login credentials and gain access. It	Unspecified	2

Source Document References

Information about the Qilin Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
InfoSecurity-magazine	7 days ago	RansomHub Overtakes LockBit as Most Prolific Ransomware Group
Securityaffairs	24 days ago	Security Affairs newsletter Round 491 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	a month ago	Security Affairs newsletter Round 490 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading	a month ago	Infostealers: An Early Warning for Ransomware Attacks
Securityaffairs	a month ago	Qilin ransomware attack on Synnovis impacted over 900K patients
DARKReading	a month ago	Socially Savvy Scattered Spider Traps Cloud Admins in Web
Malwarebytes	2 months ago	CODAC Behavioral Healthcare, US Marshalls are latest ransomware targets \| Malwarebytes
Checkpoint	2 months ago	26th August – Threat Intelligence Report - Check Point Research
Securityaffairs	2 months ago	Qilin ransomware steals credentials stored in Google Chrome
Securityaffairs	2 months ago	SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
InfoSecurity-magazine	3 months ago	#BHUSA: 17.8m Phishing Emails Detected in First Half of 2024
Securityaffairs	3 months ago	security-affairs-malware-newsletter-round-5
BankInfoSecurity	3 months ago	Synnovis Attack Halts 8,000 NHS Patient Procedures So Far
Securityaffairs	3 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	3 months ago	Security Affairs newsletter Round 481 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	3 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	3 months ago	Security Affairs newsletter Round 481 by Pierluigi Paganini – INTERNATIONAL EDITION
InfoSecurity-magazine	3 months ago	Qilin Ransomware’s Sophisticated Tactics Unveiled By Experts
Securityaffairs	3 months ago	Octo Tempest group adds RansomHub and Qilin ransomware to its arsenal
DARKReading	3 months ago	Microsoft: Scattered Spider Widens Web With RansomHub & Qilin